Difference between revisions of "Grub2 password configuration"
(Created page with "<yambe:breadcrumb>Fedora|Fedora</yambe:breadcrumb> =grub2 password configuration= grub2-password was configured by using following steps as '''root''' user: # Run '<tt>grub2-...") |
m |
||
Line 2: | Line 2: | ||
=grub2 password configuration= | =grub2 password configuration= | ||
==Creating superuser with encrypted password== | |||
grub2-password was configured by using following steps as '''root''' user: | grub2-password was configured by using following steps as '''root''' user: | ||
# Run '<tt>grub2-mkpasswd-pbkdf2</tt>' and get password hash of desired password | # Run '<tt>grub2-mkpasswd-pbkdf2</tt>' and get password hash of desired password | ||
Line 7: | Line 8: | ||
#:<pre> | #:<pre> | ||
#:: set superusers="root" | #:: set superusers="root" | ||
#:: | #:: password_pbkdf2 root <password-hash> | ||
#:</pre> | #:</pre> | ||
# Run '<tt>grub2-mkconfig > /etc/grub2.cfg</tt>' | # Run '<tt>grub2-mkconfig > /etc/grub2.cfg</tt>' | ||
If plaintext password in /etc/grub.d/40_custom file is acceptable then use "password root <plain-text-password>" instead of "password_pbkdf2 root <password-hash>". | |||
==Creating other users== | |||
Similar to superuser other users can be created using: | |||
<pre> | |||
password_pbkdf2 root <password-hash> | |||
</pre> | |||
==Allowing access to OS without password== | |||
It is possible that after creating users grub starts asking password for all entries. If this is not desired then "--unrestricted" option needs to be added to corresponding menu entries. If the option is added to /etc/grub2.cfg directly then on using "grub2-mkconfig > /etc/grub2.cfg" the changes would be lost. Hence the option has to be added to config files in "/etc/grub.d/", so that it persists across grub2-mkconfig calls. This is slighly tricky and OS specific too. But for Linux a simple way is to edit /etc/grub.d/10_linux file and update value of CLASS variable such that it has "--unrestricted". Run "grub2-mkconfig > /etc/grub2.cfg" after /etc/grub.d/ files are modified for new changes to take effect. It is possible to verify effect of new changes by reading new /etc/grub2.cfg file. | |||
==Allow certain OS entries only to certain users== | |||
To allow access to few menu items (typically OS entries) to only selected grub users (Note that superusers will have full access to all entries and options), append "--users user1,user2" (that is comma separated user list without any quotes) in corresponding menu entries. To allow all users after authentication use "--users" without following it with any username. To allow only superuser one can use --user "", that is --user followed by empty quoted string. | |||
Steps learned from https://help.ubuntu.com/community/Grub2/Passwords |
Revision as of 03:06, 29 January 2015
<yambe:breadcrumb>Fedora|Fedora</yambe:breadcrumb>
grub2 password configuration
Creating superuser with encrypted password
grub2-password was configured by using following steps as root user:
- Run 'grub2-mkpasswd-pbkdf2' and get password hash of desired password
- Edit '/etc/grub.d/40_custom' file and append:
- set superusers="root"
- password_pbkdf2 root <password-hash>
- Run 'grub2-mkconfig > /etc/grub2.cfg'
If plaintext password in /etc/grub.d/40_custom file is acceptable then use "password root <plain-text-password>" instead of "password_pbkdf2 root <password-hash>".
Creating other users
Similar to superuser other users can be created using:
password_pbkdf2 root <password-hash>
Allowing access to OS without password
It is possible that after creating users grub starts asking password for all entries. If this is not desired then "--unrestricted" option needs to be added to corresponding menu entries. If the option is added to /etc/grub2.cfg directly then on using "grub2-mkconfig > /etc/grub2.cfg" the changes would be lost. Hence the option has to be added to config files in "/etc/grub.d/", so that it persists across grub2-mkconfig calls. This is slighly tricky and OS specific too. But for Linux a simple way is to edit /etc/grub.d/10_linux file and update value of CLASS variable such that it has "--unrestricted". Run "grub2-mkconfig > /etc/grub2.cfg" after /etc/grub.d/ files are modified for new changes to take effect. It is possible to verify effect of new changes by reading new /etc/grub2.cfg file.
Allow certain OS entries only to certain users
To allow access to few menu items (typically OS entries) to only selected grub users (Note that superusers will have full access to all entries and options), append "--users user1,user2" (that is comma separated user list without any quotes) in corresponding menu entries. To allow all users after authentication use "--users" without following it with any username. To allow only superuser one can use --user "", that is --user followed by empty quoted string.
Steps learned from https://help.ubuntu.com/community/Grub2/Passwords